Not applicable

Access with security problem

Hi all,

I have a problem with the security and I want to understand if it is the proper functioning of the instrument or if it is my mistake.

I have 2 groups in Windows (Qlik Admin, Qlik User) and two users:
- User A with the named licence, inserted in the Qlik Admin group; this user can see all the dashboards published.
- User B with the document licence, inserted in the Qlik User group. He can see only one dashboard.

I have published two dashboards:
- GlobalDashboard: in Windows only the group Qlik Admin is qualified to see it. Qlik User has the deny set.
- ReducedDashboard: Qlik Admin and Qlik User can see this document.

Now, if User A enters the Qlik Access point, he can correctly open all the documents with his user and password; the same for User B, he can open only the ReduceDocument.
The problem is when I enter the Access point with the USER A user and password and then I open the GlobalDocument with the USER B user and password.

I would have expected an error message, as USER B has only a DOCUMENT license on ReducedDashboard; instead he can access and see all data.

Is this behavior correct? Is something wrong in the settings?
Thanks for the support.

7 Replies
Peter_Cammaert
Partner - Champion III

Section Access is separate from everything else. There is no link between what you define in SA and who gets a license from a QlikView Administrator, although the two work together to grant or deny access to information.

Are you using Section Access with USERID/PASSWORD in your documents?

Peter

Not applicable
Author

Hi,
  thanks for your reply.

  Yes, in Section Access I use USER/PASSWORD, and if I access with the correct credentials in the Qlik Access Point and then in the document, I see everything in the right way (if User B accesses the portal with his credentials and then opens the GlobalDashboard, he receives an error; if he tries to open ReducedDashboard, he can access it in the right way).

  What I don't understand is: if USER B uses the administrator user and password for the Access Point, then he can open GlobalDashboard with his user without having the right and without having the licence on it.

  Thanks for your help.
  Marco

Peter_Cammaert
Partner - Champion III

If User B enters the AccessPoint with administrator credentials, he will be known throughout the site as Administrator. Since document permissions are based on AD account (I'm assuming your setup uses AD to authenticate), he will see GlobalDashboard and have permission to open it (before Section Access kicks in). I guess that Administrator has been assigned a Named CAL, so that will be the license he uses.

I do not understand yet why the USERID/PASSWORD entry in Section Access doesn't block User B from entering the document. Do you always get a Login dialog when you click on the document in the AccessPoint?

Best,

Peter

Not applicable
Author

Hi Peter,

I always get the Login dialog box, but in the Section Access I filter the document on a field based on the user who accesses it. I haven't denied some users the possibility to see the entire document. I thought it was enough to assign Document licenses on a document to deny the user access to other documents.

So I can't do it that way?

Peter_Cammaert
Partner - Champion III

Yes, you can, although your method isn't exactly a best practice...

I would suggest a different setup that makes things both simpler (easier to manage) and more secure:

  • Use AD accounts to identify your portal visitors. SSO will allow them to visit the QlikView AccessPoint without so much as a login. Authentication will be automatic and transparent.
  • Use Section Access to effectively restrict access to the insides of a document by enabling Data Reduction and Strict Exclusion.
  • In Section Access, use field NTNAME instead of USERID/PASSWORD. This brings many advantages: only a single identification field, no password management inside your document but only in AD, automatic recognition again (no more login dialogs) and you have the possibility to use your groups in the NTNAME field, instead of individual user IDs. From your details (which probably aren't complete) I get that your Section Access table may shrink to 2 or 3 rows.

Security is as tight as its weakest link: the end-user. If you start distributing multiple credentials (like you did in the example: you are User A and User B at varying times) to different users, your security measures won't always reach their intended target.

 

Best,

Peter
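
The Section Access setup suggested in the reply above, as a QlikView load script. This is an added example, not part of the original post: MYDOMAIN, the SVC_QLIKVIEW reload account, the PROFILE bridge field and the sample sales data are assumptions; only the two group names come from the thread.

```qlik
// Added example: MYDOMAIN, SVC_QLIKVIEW, PROFILE and all sample data are constructed.
Section Access;
LOAD * INLINE [
    ACCESS, NTNAME, PROFILE
    ADMIN, MYDOMAIN\QLIK ADMIN, FULL
    ADMIN, MYDOMAIN\SVC_QLIKVIEW, FULL
    USER, MYDOMAIN\QLIK USER, REDUCED
];
Section Application;

// Constructed sample data standing in for the document's real tables.
// The reduction field name and its values are upper case, because
// Section Access field names and values are handled in upper case.
Sales:
LOAD Upper(Region) AS REGION, Customer, Amount INLINE [
    Region, Customer, Amount
    Italy, C001, 1200
    France, C002, 800
    Germany, C003, 450
];

// Bridge table linking each PROFILE to the REGION values it may see.
// FULL is generated from the data itself, so new regions are covered
// on the next reload without editing the Section Access table.
ProfileMap:
LOAD DISTINCT 'FULL' AS PROFILE, REGION RESIDENT Sales;

// REDUCED is listed explicitly: members of Qlik User see ITALY only.
Concatenate (ProfileMap)
LOAD * INLINE [
    PROFILE, REGION
    REDUCED, ITALY
];
```

The reduction only applies when "Initial Data Reduction Based on Section Access" and "Strict Exclusion" are both ticked under Document Properties > Opening. The account that reloads the document needs its own row (here the hypothetical SVC_QLIKVIEW), otherwise scheduled reloads are locked out of the document.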

Not applicable
Author

Hi Peter,

thanks for your valuable help.
But the scenario is not so simple because I have different users on different domains. Despite this, I'll try to fix the section access.
thanks

Peter_Cammaert
Partner - Champion III

Multiple domains shouldn't be a problem, as long as you configure an extra DSC entry for each AD domain. That makes users from different domains visible to QlikView, and you can import them in every user selection window in QMC.

Good luck,

Peter